
“Accessible but not dumbed-down, this latest addition to the Hacking Exposed series is a stellar example of why this series remains one of the best-selling security franchises out there. System administrators and Average Joe computer users alike need to come to grips with the sophistication and stealth of modern malware, and this book calmly and clearly explains the threat.”

—Brian Krebs, Reporter for The Washington Post and author of the Security Fix Blog

“A harrowing guide to where the bad guys hide, and how you can find them.”

—Dan Kaminsky, Director of Penetration Testing, IOActive, Inc.

“The authors tackle malware, a deep and diverse issue in computer security, with common terms and relevant examples. Malware is a cold deadly tool in hacking; the authors address it openly, showing its capabilities with direct technical insight. The result is a good read that moves quickly, filling in the gaps even for the knowledgeable reader.”

—Christopher Jordan, VP, Threat Intelligence, McAfee; Principal Investigator to DHS Botnet Research

“Remember the end-of-semester review sessions where the instructor would go over everything from the whole term in just enough detail so you would understand all the key points, but also leave you with enough references to dig deeper where you wanted? Hacking Exposed Malware & Rootkits resembles this! A top-notch reference for novices and security professionals alike, this book provides just enough detail to explain the topics being presented, but not too much to dissuade those new to security.”

—LTC Ron Dodge, U.S. Army

“Hacking Exposed Malware & Rootkits provides unique insights into the techniques behind malware and rootkits. If you are responsible for security, you must read this book!”

—Matt Conover, Senior Principal Software Engineer, Symantec Research Labs


HACKING EXPOSED MALWARE & ROOTKITS: SECURITY SECRETS & SOLUTIONS

MICHAEL DAVIS, SEAN BODMER, AARON LEMASTERS

New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto


ISBN: 978-0-07-159119-5 MHID: 0-07-159119-2

The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-159118-8, MHID: 0-07-159118-4.

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.

McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative please e-mail us at bulksales@mcgraw-hill.com.

Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

TERMS OF USE

This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.


—Michael A. Davis

I would like to dedicate this book to my wife Emily and our two children Elizabeth and Ryan and my grandparents Mathew and Brenda Karnes—without their support I would not be here today.

—Sean Bodmer

For my parents Earl and Sudie, who have supported and encouraged me all my life despite the odds, and for my wife Justina.

—Aaron LeMasters


Michael A. Davis

Michael A. Davis is CEO of Savid Technologies, Inc., a national technology and security consulting firm. Michael is well-known in the open source security industry due to his porting of security tools to the Windows platforms, including tools like snort, ngrep, dsniff, and honeyd. As a member of the Honeynet Project, he works to develop data and network control mechanisms for Windows-based honeynets. Michael is also the developer of sebek for Windows, a kernel-based data collection and monitoring tool for honeynets. Michael previously worked at McAfee, Inc., a leader in antivirus protection and vulnerability management, as Senior Manager of Global Threats, where he led a team of researchers investigating confidential and cutting-edge security research. Prior to being at McAfee, Michael worked at Foundstone.

Sean M. Bodmer, CISSP, CEH

Sean M. Bodmer is Director of Government Programs at Savid Corporation, Inc. Sean is an active honeynet researcher, specializing in the analysis of signatures, patterns, and the behavior of malware and attackers. Most notably, he has spent several years leading the operations and analysis of advanced intrusion detection systems (honeynets) where the motives and intent of attackers and their tools can be captured and analyzed in order to generate actionable intelligence to further protect customer networks. Sean has worked in various systems security engineering roles for various federal government entities and private corporations over the past decade in the Washington D.C. metropolitan area. Sean has lectured across the United States at industry conferences such as DEFCON, PhreakNIC, DC3, NW3C, Carnegie Mellon CERT, and the Pentagon Security Forum, covering aspects of attacks and attacker assessment profiling to help identify the true motivations and intent behind cyber attacks.

Aaron LeMasters, CISSP, GCIH, CSTP

Aaron LeMasters (M.S., George Washington University) is a security researcher specializing in computer forensics, malware analysis, and vulnerability research. The first five years of his career were spent defending the undefendable DoD networks, and he is now a senior software engineer at Raytheon SI. Aaron enjoys sharing his research at both larger security conferences such as Black Hat and smaller, regional hacker cons like Outerz0ne. He prefers to pacify his short attention span with advanced research and development issues related to Windows internals, system integrity, reverse engineering, and malware analysis. He is an enthusiastic prototypist and enjoys developing tools that complement his research interests. In his spare time, Aaron plays basketball, sketches, jams on his Epiphone Les Paul, and travels frequently to New York City with his wife.


Jason Lord

Jason Lord is currently Chief Operating Officer of d3 Services, Ltd., a consulting firm providing cyber security solutions. Jason has been active in the information security field for the past 14 years, focusing on computer forensics, incident response, enterprise security, penetration testing, and malicious code analysis. During this time, Jason has responded to several hundred computer forensics and incident response cases globally.

He is also an active member of the High Technology Crimes Investigation Association (HTCIA), InfraGard, and the International Systems Security Association (ISSA).

About the Technical Editor

Alexander Eisen is CEO of FormalTechnologies.com, an associate professor with the University of Advancing Technology, and, as a public servant, an enterprise architect for a DoD agency. Always an unconventional experimentalist, since 1999 he has played all sorts of roles—offensive and defensive, tactical and strategic—in the fields of penetration testing, enterprise incident response, forensics, RE, and security software evaluation—a career sparked by the award of an NSA-sponsored Information Assurance Fellowship for multidisciplinary research in Computer Science, Crypto, and Law. He has led over a dozen major red team and incident response efforts for the DoD and affiliated organizations, many of which have received widespread media coverage such as “Pentagon 1500 hacked.” As a core member of the National Cyber Initiative, he has researched large-scale enterprise incident response and software assurance methodologies. With certifications from the Defense Language Institute, Defense Cyber Crime Center Training Academy, (ISC)2, and the Committee on National Security Systems, he is an active member of InfraGard, AFCEA, IEEE, and various federal advisory boards. He has spoken internationally on emerging security issues at many industry conferences such as Black Hat Japan and the Ukraine IT Festival and in closed venues such as the Pentagon, and has published in trade journals on topics of national infrastructure protection and IPv6. Through teaching InfoSec curriculum and supporting UAT’s NSA Center of Academic Excellence, his passion has grown toward leveraging the talent and resources of academia to explore pioneering socioeconomic technology topics. He enjoys recruiting and mentoring aspiring youth to jumpstart their careers via Scholarship for Service programs. By night, his right-brain explores visual arts, extreme sports, roasting coffee, and engineering binaural Hang drum music. His daily life is now sustained by the support of his lovely wife Marina. Codeword: BH”96mae3ajme2ie18m emsdmal2rhbkkgppsjngcpaz24.


CONTENTS

Foreword
Acknowledgments
Introduction

Part I Malware

Case Study: Please Review This Before Our Quarterly Meeting

1 Method of Infection
  This Security Stuff Might Actually Work
  Decrease in Operating System Vulnerabilities
  Perimeter Security
  Why They Want Your Workstation
  Intent Is Hard to Detect
  It’s a Business
  Significant Malware Propagation Techniques
  Social Engineering
  File Execution
  Modern Malware Propagation Techniques
  StormWorm (Malware Sample: trojan.peacomm)
  Metamorphism (Malware Sample: W32.Evol, W32.Simile)
  Obfuscation
  Dynamic Domain Name Services (Malware Sample: W32.Reatle.E@mm)
  Fast Flux (Malware Sample: trojan.peacomm)
  Malware Propagation Injection Vectors
  Email
  Malicious Websites
  Phishing
  Peer-To-Peer (P2P)
  Worms
  Samples from the Companion Website
  Summary

2 Malware Functionality
  What Malware Does Once It’s Installed
  Pop-Ups
  Search Engine Redirection
  Data Theft
  Click Fraud
  Identity Theft
  Keylogging
  Malware Behaviors
  Identifying Installed Malware
  Typical Install Locations
  Installing on Local Drives
  Modifying Timestamps
  Affecting Processes
  Disabling Services
  Modifying the Windows Registry
  Summary

Part II Rootkits

Case Study: The Invisible Rootkit That Steals Your Bank Account Data
  Disk Access
  Firewall Bypassing
  Backdoor Communication
  Intent

3 User-Mode Rootkits
  Maintain Access
  Network-Based Backdoors
  Stealth: Conceal Existence
  Types of Rootkits
  Timeline
  User-Mode Rootkits
  What Are User-Mode Rootkits?
  Background Technologies
  Injection Techniques
  Hooking Techniques
  User-Mode Rootkit Examples
  Summary

4 Kernel-Mode Rootkits
  Ground Level: x86 Architecture Basics
  Instruction Set Architectures and the Operating System
  Protection Rings
  Bridging the Rings
  Kernel Mode: The Digital Wild West
  The Target: Windows Kernel Components
  The Win32 Subsystem
  What Are These APIs Anyway?
  The Concierge: NTDLL.DLL
  Functionality by Committee: The Windows Executive (NTOSKRNL.EXE)
  The Windows Kernel (NTOSKRNL.EXE)
  Device Drivers
  The Windows Hardware Abstraction Layer (HAL)
  Kernel Driver Concepts
  Kernel-Mode Driver Architecture
  Gross Anatomy: A Skeleton Driver
  WDF, KMDF, and UMDF
  Kernel-Mode Rootkits
  What Are Kernel-Mode Rootkits?
  Challenges Faced by Kernel-Mode Rootkits
  Getting Loaded
  Gaining Execution
  Communicating with User Mode
  Remaining Stealthy and Persistent
  Methods and Techniques
  Kernel-Mode Rootkit Samples
  Klog by Clandestiny
  AFX by Aphex
  FU and FUTo by Jamie Butler, Peter Silberman, and C.H.A.O.S.
  Shadow Walker by Sherri Sparks and Jamie Butler
  He4Hook by He4 Team
  Sebek by The Honeynet Project
  Summary
  Summary of Countermeasures

5 Virtual Rootkits
  Overview of Virtual Machine Technology
  Types of Virtual Machines
  The Hypervisor
  Virtualization Strategies
  Virtual Memory Management
  Virtual Machine Isolation
  Virtual Machine Rootkit Techniques
  Rootkits in the Matrix: How Did We Get Here?!
  What Is a Virtual Rootkit?
  Types of Virtual Rootkits
  Detecting the Virtual Environment
  Escaping the Virtual Environment
  Hijacking the Hypervisor
  Virtual Rootkit Samples
  Summary

6 The Future of Rootkits: If You Think It’s Bad Now…
  Increases in Complexity and Stealth
  Custom Rootkits
  Summary

Part III Prevention Technologies

Case Study: A Wolf in Sheep’s Clothing
  Rogue Software
  Great Interface
  They Work! Sometimes…

7 Antivirus
  Now and Then: The Evolution of Antivirus Technology
  The Virus Landscape
  Definition of a Virus
  Classification
  Simple Viruses
  Complex Viruses
  Antivirus—Core Features and Techniques
  Manual or “On-Demand” Scanning
  Real-Time or “On-Access” Scanning
  Signature-Based Detection
  Anomaly/Heuristic-Based Detection
  A Critical Look at the Role of Antivirus Technology
  Where Antivirus Excels
  Top Performers in the Antivirus Industry
  Challenges for Antivirus
  Antivirus Exposed: Is Your Antivirus Product a Rootkit?
  Patching System Services at Runtime
  Hiding Threads from User Mode
  A Bug?
  The Future of the Antivirus Industry
  Fighting for Survival
  Death of an Industry?
  Possible Antivirus Replacement Technologies
  Summary and Countermeasures

8 Host Protection Systems
  Personal Firewall Capabilities
  McAfee
  Symantec
  Checkpoint
  Personal Firewall Limitations
  Pop-Up Blockers
  Internet Explorer
  Firefox
  Opera
  Safari
  Chrome
  Example Generic Pop-Up Blocker Code
  Summary

9 Host-Based Intrusion Prevention
  HIPS Architectures
  Growing Past Intrusion Detection
  Behavioral vs. Signature
  Behavioral Based
  Signature Based
  Anti-Detection Evasion Techniques
  How Do You Detect Intent?
  HIPS and the Future of Security
  Summary

10 Rootkit Detection
  The Rootkit Author’s Paradox
  A Quick History
  Details on Detection Methods
  System Service Descriptor Table Hooking
  IRP Hooking
  Inline Hooking
  Interrupt Descriptor Table Hooks
  Direct Kernel Object Manipulation
  IAT Hooking
  Windows Anti-Rootkit Features
  Software-Based Rootkit Detection
  Live Detection vs. Offline Detection
  System Virginity Verifier
  IceSword and DarkSpy
  RootkitRevealer
  F-Secure’s Blacklight
  Rootkit Unhooker
  GMER
  Helios and Helios Lite
  McAfee Rootkit Detective
  Commercial Rootkit Detection Tools
  Offline Detection Using Memory Analysis: The Evolution of Memory Forensics
  Virtual Rootkit Detection
  Hardware-Based Rootkit Detection
  Summary

11 General Security Practices
  End-User Education
  Security Awareness Training Programs
  Defense in Depth
  System Hardening
  Automatic Updates
  Virtualization
  Baked-In Security (from the Beginning)
  Summary

Appendix System Integrity Analysis: Building Your Own Rootkit Detector
  What Is System Integrity Analysis?
  The Two Ps of Integrity Analysis
  Pointer Validation: Detecting SSDT Hooks
  Patch/Detour Detection in the SSDT
  The Two Ps for Detecting IRP Hooks
  The Two Ps for Detecting IAT Hooks
  Our Third Technique: Detecting DKOM
  Sample Rootkit Detection Utility

Index


FOREWORD

BY LANCE SPITZNER, PRESIDENT OF THE HONEYNET PROJECT

Malware. In my almost 15 years in information security, malware has become the most powerful tool in a cyber attacker’s arsenal. From sniffing financial records and stealing keystrokes to peer-to-peer networks and auto updating functionality, malware has become the key component in almost all successful attacks. This has not always been true. I remember when I first started in information security in 1998, deploying my first honeypots. These allowed me to watch attackers break into and take over real computers.

I learned firsthand their tools and techniques. Back in those days, attackers began their attack by manually scanning entire network blocks. Their goal was to build a list of IP addresses that they could access on the Internet. After spending days building this database, they would return, probing common ports on each computer they found, looking for known vulnerabilities such as vulnerable FTP servers or open Windows file shares. Once these vulnerabilities were found, the attackers would return to exploit the system. This whole process of probing and exploiting could take anywhere from several hours to several weeks and required different tools for each stage in the process. Once exploited, the attacker would upload additional tools, each of which had a unique purpose and usually ran manually. For example, one tool would clear out the logs; another tool would secure the system; another tool would retrieve passwords or scan for other vulnerable systems. You could often judge just how advanced the attacker was by the number of mistakes he or she made in running different tools or executing system commands. It was a fun and interesting time, as you could watch and learn from attackers and identify them and their motivations. It almost felt as if you could make a personal connection with the very people breaking into your computers.

Fast forward to the present. Things are radically different nowadays. In the past, to attack and compromise a computer, almost every step involved manual interaction. Today, almost all attacks are highly automated, using the most advanced tools and technology. In the past, you could watch and learn about threats, recording every step an attacker took. Today, the entire process is a highly calculated event that happens in mere seconds. There is no one to watch or learn from. Every step of the attack, from initial probe to compromise to data collection is now prepackaged into some of the most advanced technology we have ever seen—malware. These bundled tools enable attackers to compromise literally millions of systems around the world easily. When viruses were first released, they were simple tools that modified several files on the system and perhaps stole some documents or attempted to crack system passwords. Today malware has become extremely sophisticated and can read the victim’s memory and infect boot sectors, BIOS, and kernel-based rootkits.

Even more amazing is malware’s ability to create and maintain control of entire networks of compromised systems using botnets. These botnets are highly organized networks under the cyber criminals’ control. Cyber criminals use them to harvest data and send out spam, attack other networks, or host phishing websites. Modern malware makes these botnets possible. To make things worse, cyber attackers take malware from around the world and constantly build upon and improve it. As I write this foreword, the world is recovering from one of the most advanced malware attacks ever seen, Conficker. Literally millions of computers were compromised and controlled by a highly organized team of criminals. The attacks were so successful that entire government organizations, including the United States Department of Defense, had to ban the use of mobile media to simply slow the spread. Conficker also introduced some of the most advanced functionality we have ever seen in malware, from using the latest in cryptographic technology to random domain name generation and autonomous peer-to-peer communications. Unfortunately, the threat is only getting worse. Antivirus companies are detecting literally thousands of new malware variants every day, and these numbers are only growing.

One of the biggest changes we have seen with malware is not just the technology, but the attackers behind the technology and their motivations for developing malware. Most of the attackers I originally monitored could be categorized as script kiddies, unskilled teenagers simply using tools copied from others. They launched attacks for their own amusement or to impress their friends. There was also a small select group who developed and used their own tools, but were often motivated by a sense of intellectual curiosity and the challenge of either testing their tools or compromising systems, or they wanted to make a name for themselves. The threat we face today is far different; it has become much more organized, efficient, and lethal.

Today, we face highly organized criminals who are focused on their return on investment (ROI). They have research and development teams who develop the most profitable attacks. Just like any business with its own profit centers, these criminals focus on efficiency and scales of economies, attempting to make as much money as possible on a global scale. In addition, these criminals have developed their own black market in malware. Just as with any other economy, you can find an entire black market where criminal organizations trade and sell the latest malware tools. Malware has even become a service. Criminals will develop customized malware for clients or rent malware as a service—services that include support, updates, and even performance contracts. For example, criminals can develop customized malware guaranteed to bypass most antivirus programs or designed to exploit unknown vulnerabilities.

Nation-state entities are also developing the latest cyber warfare tools. These are entities with almost unlimited budgets and access to the most advanced minds and skills in the world. The malware they develop is designed to quietly infiltrate and take over other countries and gather as much intelligence as possible, as we’ve seen in recent attacks on U.S. government networks. Nation-state attacks using malware can also disrupt the cyber activities of other countries; for instance, consider the cyber distributed denial of service attacks on Georgia and Estonia, which were organized and launched by malware. Malware has become the common element in almost all attacks we see today.

To defend your networks, regardless of who the attackers are, you must understand and defend against malware.

I was excited to see Michael Davis take the lead and coauthor this book on malware for Windows. I cannot think of a better and more qualified person. I have known Mike for almost ten years now, since he first joined the Honeynet Project as one of our top researchers for Windows. Mike developed one of our most powerful data capture tools, sebek. Sebek is an advanced kernel Windows tool. In addition, Mike has extensive experience with malware and antivirus from his days at McAfee. He also has a great deal of experience working with and helping secure clients from around the world. He understands the challenges organizations face. He also sees firsthand how malware has become one of the greatest threats to organizations today.

Hacking Exposed Malware & Rootkits is an amazing resource. It is timely, focused, and what we need to better understand and defend against one of the greatest cyber threats we face. I cannot recommend this book enough.

—Lance Spitzner, President of the Honeynet Project


ACKNOWLEDGMENTS

I would like to thank Jane, our editor, for her diligent commitment to keeping us on track even though it may have seemed impossible at times. I would also like to acknowledge the great team of people at Savid Technologies who allowed me to take time off to focus on writing.

—Michael A. Davis

First and foremost, I need to thank my editor, Jane, who gave me so much positive feedback and constructive criticism, as this is my first publication. Without her, I would not have known which way was up at times. Also, my homie, Tj Egan, for helping kill mobs on Forgotten Coast (GO ALLIANCE) to relieve the stress when writing got tough.

I also cannot finish without thanks to Zac Culbertson and the Cowboy Café for giving me a place to come and think while writing this book. There is no better place in Arlington, Virginia, for a g33k to eat, drink, and think when looking to relax away from the chaos that is Washington DC.

—Sean Bodmer

I would like to extend my gratitude and appreciation to our technical editor, Alex Eisen, without whom I would not be typing this acknowledgement. Thanks Alex (until next time). I also want to thank my editor and coauthors for making this opportunity a reality for me and sharing the suffering through countless hours of painful authoring woes. I would not be where I am today without the guidance of Dr. Ray Vaughn and other distinguished professors at my undergraduate alma mater, Mississippi State University.

I would be remiss if I did not also mention the wealth of security researchers in the community—past, present, and future—who have made this industry what it is today and continue to redefine the boundaries of cyber security due to their passionate work.

—Aaron LeMasters


INTRODUCTION

THE INSIDER THREAT NO LONGER COMES FROM THE “INSIDE”

Every security conference and security study today is focused on getting enterprise security administrators and home users to understand the threat from the inside. Insider threats are growing and becoming more malicious; theft for financial gain, IT sabotage, and business advantage are the three largest categories of insider attacks. Security experts say the user is causing the problem and that the user is the threat. The experts are technically correct, but the true threat to an organization is usually not the user as a person but the role and access that user holds. If a secretary has enough privileges to view the Accounting folder on the network file share, then so does the malware that infected her machine.

Today’s malware is taking over or emulating the insider role by bypassing external defenses, executing on machines, and running within the insider’s user account, enabling the malware to attack, control, and access the same resources as the insider. So in Hacking Exposed Malware & Rootkits, we focus on the capabilities and techniques used by malware in today’s world. Malware is the insider, and attackers want to maintain control of this insider role. Here, we focus on the protections that do and do not work in solving the malware threat and ultimately the insider threat. As the original Hacking Exposed books emphasize, whether you’re a home user or part of the security team for a Global 100 company, you must be vigilant. Keep a watchful eye on malware and you’ll be rewarded—personally and professionally. Do not let your machine become another zombie in the endless malware army.


Navigation

We have used the popular Hacking Exposed format for this book; every attack technique is highlighted in the margin like this:

This Is an Attack Icon

Making it easy to identify specific malware types and methodologies.

Every attack is countered with practical, relevant, field-tested workarounds, which have their own special icon:

This Is the Countermeasure Icon

Get right to fixing the problem and keeping the attackers out.

• Pay special attention to highlighted user input as bold text in the code listing.

• Every attack is accompanied by an updated Risk Rating derived from three components based on the authors’ combined experience:

Popularity: The frequency of use in the wild against live targets, 1 being most rare, 10 being widely used

Simplicity: The degree of skill necessary to execute the attack, 1 being a seasoned security programmer, 10 being little or no skill

Impact: The potential damage caused by successful execution of the attack, 1 being revelation of trivial information about the target, 10 being superuser account compromise or equivalent

Risk Rating: The preceding three values averaged to give the overall risk rating.

ABOUT THE WEBSITE

Since malware and rootkits are being released all the time, you can find the latest tools and techniques on the Hacking Exposed Malware & Rootkits website at http://www.malwarehackingexposed.com. The website contains the code snippets and tools mentioned in the book as well as some never-before-released tools discussed in the Appendix. We’ll also keep a copy of all the tools mentioned in the book so you can download them even after the maintainer has stopped writing the tool.


I Malware


According to recent security studies from Symantec and GFI published in April 2009, customized and targeted spam and malware attacks are once again on the rise.

Furthermore, code customization, driven by the professionalization of the malware industry, has led to lackluster prevention and detection rates across the security industry.

Symantec detected nearly 1.66 million malicious code threats in 2008, up significantly from 2007. The number of new malicious code signatures grew by 265 percent during the same time period. As malware authors continue to develop code and ensure that it functions well in new environments, they will consistently tweak and tune their malware to maximize their return on investment (ROI). To top it off, Trojans make up nearly 70 percent of the top 50 malicious code samples because they are very effective at maintaining remote access to a compromised machine for later use. Marrying the customized email techniques learned from phishing with innovative ways of evading antivirus by creating new, unique malicious code has made scenarios such as the following possible.

Tuesday 3:20 pm A fake but very realistic email is sent to the ten executives on the company’s management team from what appears to be the CEO of a medium-sized manufacturing firm. The email is titled, “Please review this before our meeting,” and it asks them to save the attachment, rename the file extension from .zip to .exe, and run the program. The program is supposedly a plug-in required for viewing the video that will be presented at the quarterly meeting that Friday. The CEO mentions in the message that the executives have to rename the attachment because the security of the mail server does not allow him to send executables.

The executives do as they are told and run the program. Those who would normally be suspicious see that their fellow coworkers received the same email, so it must be legitimate. Also, with the email being sent late in the day, some don’t receive it until almost 5 pm and don’t have time to verify with the CEO that he sent it.
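The rename trick works only because the mail server filters executables by file name. The following is an added example (not code from the book) of the check a mail gateway can make instead: classify each attachment by its leading bytes, look inside archives, and treat a mismatch between extension and content as a reason to hold the message. File names, payloads and the stand-in “executable” are constructed for the demonstration.

```python
# Added example (not from the book): a mail-gateway check that classifies an
# attachment by its content (magic bytes) instead of trusting the extension,
# which is what the "rename .zip to .exe" trick in the story relies on.
# File names, sample payloads and the stand-in PE below are constructed.
import io
import os
import zipfile

# Leading bytes that identify the container types we care about.
# "MZ" starts every Windows PE image (EXE, DLL, SCR); "PK\x03\x04" starts a
# ZIP local file header (also used by DOCX/PPTX/JAR).
MAGIC = {
    b"MZ": "pe",
    b"PK\x03\x04": "zip",
}

# What a given extension claims to be.
EXT_TO_KIND = {
    ".exe": "pe", ".dll": "pe", ".scr": "pe",
    ".zip": "zip", ".docx": "zip", ".pptx": "zip",
}

# Never pull more than this from any archive member when sniffing it,
# so a ZIP bomb cannot turn the check itself into a denial of service.
SNIFF_BYTES = 8


def sniff_kind(head: bytes) -> str:
    """Classify data by its leading bytes; 'unknown' if no magic matches."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def zip_contains_pe(data: bytes) -> bool:
    """True if any member of the ZIP starts with a PE header."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                with zf.open(info) as member:
                    if sniff_kind(member.read(SNIFF_BYTES)) == "pe":
                        return True
    except zipfile.BadZipFile:
        # Magic said ZIP but the archive is corrupt; nothing to inspect.
        return False
    return False


def check_attachment(filename: str, data: bytes):
    """Return (verdict, reason) for one attachment.

    verdict is 'block', 'quarantine' or 'allow'.
    """
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXT_TO_KIND.get(ext, "unknown")
    actual = sniff_kind(data[:SNIFF_BYTES])

    if actual == "pe":
        # The renamed attachment from the story lands here: .zip name, MZ content.
        return "block", f"{filename}: Windows executable content behind extension {ext or '(none)'}"
    if actual == "zip" and zip_contains_pe(data):
        return "block", f"{filename}: archive contains a Windows executable"
    if claimed != "unknown" and claimed != actual:
        # Extension promises one container, bytes say another: hold for review.
        return "quarantine", f"{filename}: extension claims {claimed} but content is {actual}"
    return "allow", f"{filename}: content matches extension"


def _make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real malware): the stand-in PE is "MZ" plus padding.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200
SAMPLES = {
    "presentation.zip": FAKE_PE,                              # the story's trick
    "q2_notes.zip": _make_zip({"notes.txt": b"agenda\n"}),    # benign archive
    "plugin_bundle.zip": _make_zip({"plugin.exe": FAKE_PE}),  # PE inside ZIP
    "agenda.docx": b"plain text, not OOXML",                  # lying extension
    "readme.txt": b"hello",                                   # no claim, no magic
}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        verdict, reason = check_attachment(name, payload)
        print(f"{verdict:10s} {reason}")
```

The point of the design is that the verdict never depends on the file name alone: the renamed .zip is blocked because its bytes say PE, the bundle is blocked because a member says PE, and a .docx whose bytes are not a ZIP container is held rather than allowed, since a mismatch is itself a signal. A production gateway would add more magic numbers and nested-archive handling, but the ordering of the checks stays the same.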

The attached file is actually a piece of malware that installs a keystroke logger on each machine. Who would create such a thing and what would their motive be? Let’s meet our attacker.

Bob Fraudster, our attacker, is a programmer at a small local company. He primarily programs using web-based technologies such as ASP.NET and supports the marketing efforts of the company by producing dynamic web pages and web applications. Bob decides that he wants to make some extra money since his job just made him take a pay cut due to the recession. Bob goes to Google.com to research bots and botnets, as he has heard they can generate tons of money for their operators and thought it might be a good way to make some extra cash. Over the course of the next month or so, he joins IRC, listens to others, and learns about the various online forums where he can purchase bot software to implement click fraud and create some revenue for himself. Through his research, Bob knows that the majority of antivirus applications can detect precompiled bots, so he wants to make sure he gets a copy of the source code and compiles his own bot.


HTTP, all of Bob’s bot traffic will be encrypted and will go right through most content- filtering technology as well. Bob signs up as an Ad Syndicator with various search engines such as Google and MSN. As an Ad Syndicator, he’ll display ads from the search engine’s ad rotation programs like AdSense on his website and receive a small fee (pennies) for each click on an ad that is displayed on his website.

Bob uses some of the exploits he purchased with the bot, in addition to some application-level vulnerabilities he purchased, to compromise web servers around the world. Using standard web development tools, he modifies the HTML or PHP pages on the sites to load his own ad syndication account so his ads are displayed instead of the site owners’. Essentially, Bob has forced each website he has hacked into to syndicate and display ads that, when a user clicks them, send money to him instead of the real website operators. This method of receiving money when a user clicks an advertisement on your website is called pay-per-click (PPC) advertising, and it is the source of most of Google’s revenue.

Next, Bob packages up the malware using the Armadillo packer so it looks like a new PowerPoint presentation from the company’s CEO. He crafts a specific and custom email message that convinces the executives the attachment is legitimate and from the CEO.

Now they just have to open it. Bob sends a copy of this presentation, which actually installs his bot, every 30 minutes or so to a variety of small businesses’ email addresses he purchased. Since Bob had worked in marketing and implemented some email campaigns, he knows that he can purchase a list of email addresses rather easily from a company on the Internet. It is amazing how many email addresses are available for purchase on the Internet. Bob focuses his efforts on email addresses that look like they are for smaller businesses instead of corporate email addresses because he knows many enterprises use antivirus at their email gateways and he doesn’t want to tip off any antivirus vendors about his bot.

Bob is smart and knows that many bots that communicate via IRC are becoming easier to detect, so he purchases a bot that communicates with his privately rented server over HTTPS (HTTP inside an SSL tunnel). Using custom GET requests, the bot sends command and control messages with specific data to his web server, just like a normal browser interacts with any other website. Because the bot communicates over HTTPS, Bob doesn’t have to worry about a firewall on the machines he wants to infect blocking access to his rented web server, since most firewalls allow outgoing traffic on port 443. Web content filtering isn’t a worry either, since the traffic looks innocent, and when he wants to steal financial data from victims who watch the corporate PowerPoint presentation, the SSL tunnel hides it from the web filter entirely. And since he didn’t release his bot as a mass-propagation worm, the victims’ antivirus won’t detect the installation either: the antivirus vendors have no signatures for this bot.

Once installed, the bot runs inside Internet Explorer as a Browser Helper Object (BHO), which gives the bot access to all of the company’s normal HTTP traffic and all of the


master bot server and queries the server to receive its list of the compromised websites to connect to and start clicking advertisements.

Once the bot receives the list of links to visit, it saves the list and waits for the victim to use Internet Explorer normally. While the victim is browsing CNN.com to learn about the latest bank bailout, the bot goes to a site in its list of links to find an ad to click. The bot understands how the ad networks work, so it sets the HTTP Referer to the site the victim is actually viewing (e.g., CNN.com) to make the click on the ad look legitimate. This fools the advertisement company’s antifraud software. Once the bot clicks the ad and views the advertisement’s landing page, it goes off to the next link in its list. This method makes the logs on the advertising companies’ servers look as if a normal person viewed the advertisement, which reduces the chance that Bob’s advertising account will be flagged as fraudulent and he will be caught.

In order to remain hidden and generate as much revenue for himself as possible, Bob set the bot to continue clicking advertisements in a very slow manner over the course of a couple weeks. This helps ensure the victims don’t notice the extra load on their computers and that Bob’s bot isn’t caught for fraud.

Bob has successfully converted the company’s workstations into the equivalent of an ATM, spitting out cash into a street while he holds a bag to catch the money.

Bob employs other stealth techniques to make sure that the search engines whose advertising his bot abuses don’t detect his fraud either. To avoid detection, the bot spreads its clicks across a variety of search engines such as Google, Yahoo, AskJeeves, and so on. The more search engines it uses within the fraud scheme, the more money Bob can make.

Bob needs to use the search engines because they are the conduit for the fraud. The ads clicked are from the advertisements placed on hacked websites that Bob broke into a few weeks ago. Of the ads the bot clicked on the compromised websites, only 10 percent are from Google and the rest are from other sources including other search engines. The bot implements a random click algorithm that clicks the ad link only half of the time just to make it even more undetectable by the search engine company.

Using the low and slow approach doesn’t mean it will take long for Bob to start making money. For example, using just Google, let’s assume Bob’s stealth propagation (e.g., slowly spreads) malware infects 10,000 machines; each machine clicks a maximum of 20 ads and picks Google ads only 50 percent of the time for a total of 100,000 ads clicked. Let’s also assume that Bob chooses to display ads that when clicked will generate revenue of $0.50 per click. Using this approach, the attacker generates $50,000 in revenue (10,000 × 20 × 50% × $.50). Not bad for a couple weeks worth of work.

Now that we understand Bob’s motives and how he plans to attack, let’s return to our fictitious company and analyze how they are handling the malware outbreak. Since Bob wants to remain inconspicuous, the malware, once running, reports to a central server over HTTPS and sends copies of all usernames and passwords typed into websites by the company’s employees. Because Bob built his bot using a BHO,


happening over HTTPS to Bob’s rented website, which is not flagged as a bad site by the company’s proxy, nothing is blocked.
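The proxy cannot see inside the SSL tunnel, but it still logs which client connected to which host and when, and a bot that polls its master on a timer leaves far more regular gaps between connections than a person browsing. The following is an added example (not code from the book or from any real bot) of that check run over a constructed proxy log: the line format, the hostnames, the addresses and the timings are all made up for the demonstration.

```python
# Added example (not from the book): hunt for the bot's check-ins in proxy
# logs. The proxy cannot read the HTTPS payload, but it still records who
# connected where and when, and a bot that polls its master on a timer leaves
# near-constant gaps between connections that human browsing does not.
# Log format, hostnames and addresses are constructed for the demo.
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed line format: "<ISO timestamp> <client IP> CONNECT <host>:<port> <bytes>"
LINE_RE = re.compile(r"^(\S+) (\S+) CONNECT ([^:\s]+):(\d+) (\d+)$")


def parse_line(line: str):
    """Return (timestamp, client, host, port, bytes) or None for junk lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return ts, m.group(2), m.group(3), int(m.group(4)), int(m.group(5))


def find_beacons(lines, min_events=6, max_cv=0.1):
    """Score each (client, host) pair by the regularity of its connection gaps.

    cv = stdev(gaps) / mean(gaps). Timers give a cv near 0; browsing gives a
    cv well above 1. Pairs with fewer than min_events connections are skipped
    because a handful of gaps can look regular by chance.
    """
    stamps_by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, host, _port, _nbytes = rec
        stamps_by_pair[(client, host)].append(ts)

    hits = []
    for (client, host), stamps in stamps_by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"client": client, "host": host, "events": len(stamps),
                         "period_s": round(mean, 1), "cv": round(cv, 3)})
    return sorted(hits, key=lambda h: h["cv"])


# Constructed log excerpt: one workstation polling its master every ~5 minutes
# (with a few seconds of jitter) interleaved with ordinary news browsing.
SAMPLE_LOG = [
    "2009-04-15T09:00:04 10.1.5.23 CONNECT stats.example.net:443 1532",
    "2009-04-15T09:01:10 10.1.5.23 CONNECT www.cnn.com:443 48211",
    "2009-04-15T09:01:12 10.1.5.23 CONNECT www.cnn.com:443 20944",
    "2009-04-15T09:01:15 10.1.5.23 CONNECT www.cnn.com:443 7730",
    "2009-04-15T09:03:40 10.1.5.23 CONNECT www.cnn.com:443 51200",
    "2009-04-15T09:05:01 10.1.5.23 CONNECT stats.example.net:443 1498",
    "2009-04-15T09:10:07 10.1.5.23 CONNECT stats.example.net:443 1530",
    "2009-04-15T09:12:05 10.1.5.23 CONNECT www.cnn.com:443 33010",
    "2009-04-15T09:12:06 10.1.5.23 CONNECT www.cnn.com:443 1201",
    "2009-04-15T09:14:58 10.1.5.23 CONNECT stats.example.net:443 1511",
    "2009-04-15T09:20:03 10.1.5.23 CONNECT stats.example.net:443 1529",
    "2009-04-15T09:22:30 10.1.5.40 CONNECT mail.example.com:443 90233",
    "2009-04-15T09:25:00 10.1.5.23 CONNECT stats.example.net:443 1502",
    "2009-04-15T09:29:57 10.1.5.23 CONNECT stats.example.net:443 1533",
    "2009-04-15T09:31:20 10.1.5.23 CONNECT www.cnn.com:443 62014",
    "2009-04-15T09:35:05 10.1.5.23 CONNECT stats.example.net:443 1500",
    "this line is not a proxy record",
]


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Against the sample, only the stats.example.net pair scores as a beacon (period about 300 seconds, cv around 0.02); the CNN traffic from the same client has gaps ranging from one second to twenty minutes and scores well above 1. The caveat is the “low and slow” behaviour Bob relies on: a bot that adds large random jitter or checks in once a day pushes the cv up and the event count down, so in practice this score is combined with other metadata the proxy still sees, such as the near-constant byte counts per connection above, the age of the destination domain, and how many clients in the company talk to it.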

Wednesday 8:00 am The malware propagates by sending itself to all the users in the corporate address book of the executives who received the same message from the CEO. It also starts infecting other machines by exploiting network vulnerabilities in the unpatched machines and machines that are running older versions of Microsoft Windows that IT hasn’t had a chance to update yet. Why didn’t the CIO approve the patch management product the network security team proposed to buy and implement last year?

Wednesday 4:00 pm Hundreds of employees are now infected, but the rumor of the application from the email needing to be installed has reached IT, and they start to investigate. IT finds that this may be malware, but their corporate antivirus and email antivirus didn’t detect it, so they aren’t sure what the executable does. They have no information about the executable being malicious, its intent, or how the malware operates. They place their trust in their security vendors and send samples to their antivirus vendor for analysis.

Thursday 10:00 am IT is scrambling and attempting to remove the virus using the special signatures received from the antivirus vendor last night. It is a cat-and-mouse game with IT barely keeping ahead of the propagation. IT decided to turn off all workstations companywide last night, including those that were required by the manufacturing firm’s order processors in London. Customers were not happy.

Thursday 8:00 pm IT is still attempting to disinfect the workstations. An IT staff member starts to do analysis on his own and discovers the binary may have been written by an ex-employee, based on some strings located in the binary that reference a past scuffle between the previous CIO and Director of IT. IT contacts the FBI to determine if this could be a criminal act.

Friday 9:00 am The quarterly meeting is supposed to start but is delayed because the workstation that the CEO must use to give his presentation was infected and hasn’t been cleaned since the machine was off when IT pushed out the new antivirus updates. The CEO calls an emergency meeting with the CIO to determine what is happening. IT continues to disinfect the network and is making steady progress.

Saturday 11:00 am IT feels that they have completely removed the malware from the network. Employees will be ready to work on Monday, but IT will still have much to do as the infection caused so much damage that 30 workstations have to be rebuilt because the malware was not perfectly removed from each workstation.


not able to work. Furthermore, the CIO informs the CEO that a few employees had their identities stolen since the malware logged their keystrokes as they logged into their online bank account. The victim employees want to know what the company is going to do to help them.

Situations like the above are not uncommon. The technical details may be different for each case, but the meeting on Monday that the CIO had with the CEO is all too common. No one within the manufacturing organization seemed to have anticipated this, yet the industry trade magazines and every security report had said it was inevitable. The main issue in this case is that the company was unprepared. As in war, knowledge is half the battle, and yet most organizations do not understand malware, how it is written, and why it is written, and they don’t have adequate policies and processes in place to handle a full-scale bot outbreak. Because of this, in 2008, the second highest cost to an organization from malware was the cost to remove bots from the network, according to Symantec’s Internet Threat Report. In our case study, the total time IT had to dedicate to get the business back up and running was high, and that amount does not include any potential notifications, compliance violations, or legal costs that result from the malware capturing personally identifiable information.


1 Method of Infection


Today’s threat landscape is more hostile than ever before. Recent advances in phishing and spam have shown that the attacker’s methods have become more psychological than technological. Users are now targeted via email and the Web and asked to give up their sensitive information, such as usernames and passwords for online banking, by websites that look so credible many people cannot even tell the difference. According to McAfee’s Site Advisor, 95 percent of over 120 thousand people who have taken their Spyware Quiz, a test that asks whether a site is safe or not, incorrectly assume a site is safe when it is verified to contain malware. McAfee’s quiz is a stunning example of the problem users face. They must decide whether something will negatively affect their machine with a quick visual inspection. Given the lack of security awareness, this important decision is akin to a four-year-old boy trying to determine if his dad really did pull a quarter from his ear or not. Once the attacker has fooled the user into downloading the malware, the attacker is free to explore the newest frontier in cyberspace—your workstation—for confidential information, usernames, and passwords, and personally identifiable information such as your Social Security Number or bank account information.

When was the last time you heard about a major virus outbreak on your local news? Two years ago? Viruses are dead. The threat of worms and viruses to home users and corporate networks has dropped dramatically since the major outbreaks of Bagle and Netsky in 2004. However, the outbreaks did not stop because virus writers decided to pack up and go home. Instead, they stopped because their main goal, publicity, was no longer interesting. They wanted something more, such as money, sensitive information, and sustained access to unauthorized systems, to leverage those system resources, so they changed their methods, techniques, and tools, aligning them with their new motives to be discreet and target-focused. Thus began the era of malware and rootkits.

Some of the changes malware authors have experienced were forced upon them as the security industry elevated the security arms race to new levels. A decrease in the number of unauthenticated remote vulnerabilities within Microsoft’s operating system and the increased usage of perimeter security products forced attackers to elevate their game to a new level.

THIS SECURITY STUFF MIGHT ACTUALLY WORK

Security tools and products are typically looked at as items that reduce productivity and waste resources or provide no real return on investment but have to be implemented because it is “policy.” Many security products (by themselves) do not provide value, but recent changes by companies that produce software have shown dramatic decreases in the number and type of vulnerabilities. Gone are the days of an attacker tripping over a buffer overflow in a core operating system component that can be exploited for remote administrative access. Today’s vulnerabilities are much more complicated, hidden deep inside code that requires much more skill to find, and are released much less frequently; finding them normally requires a significant investment of an attacker’s time.

Attackers are spending their time developing tools such as fuzzers and memory


This type of investment requires capital in the form of research funds or a lot of free time, which is why many vulnerabilities are discovered by security firms such as McAfee, iDefense, and TippingPoint, companies that pay developers to look for new vulnerabilities, rather than by independents.

Malware authors don’t attempt to find new “zero day” exploits to use in propagating their malware anyway; rather, they just convince the user to install the malicious software legitimately, or they wait for a software vendor to release a patch and then reverse engineer the patch and develop an exploit from it. Since many users don’t patch for days or even months or years after a patch is officially released, malware authors have a great window of opportunity to release variant after variant of their software, infecting more users.

Decrease in Operating System Vulnerabilities

Money and data were not the only motivators for the shift from viruses and worms to the vastly more complex malware and rootkits. Microsoft Windows operating system vulnerabilities that attackers can exploit remotely have been on a sharp decline since 2005, as shown in Figure 1-1.

Furthermore, the largest operating system vendor in the world, Microsoft, has made huge improvements in its security process, which has enabled Windows to move down to being only the fifth most vulnerable system according to a 2009 IBM X-Force report (see Figure 1-2).

Figure 1-1 Critical and high-vulnerability disclosures affecting client-side applications, 2005–2008

The trend within the security research community has been to research client-side vulnerabilities, such as those that can be exploited through a web browser by loading a malicious web page, or through Microsoft Office when a user opens and interprets an Office document. Microsoft isn’t the only vendor whose desktop products are being picked apart for vulnerabilities; companies such as Adobe and Skype are targets as well. There are many reasons for this shift, but part of it is that fewer and fewer operating system vulnerabilities are being found, since security researchers have spent over 20 years analyzing the operating systems in use. They want a new frontier with new challenges to explore.

Perimeter Security

Perimeter security technologies have evolved dramatically since the first major virus outbreak, the Melissa virus, in 1999. In 1999, most organizations were still struggling with how to deploy firewalls, and many that had already deployed firewalls were struggling with how to actually configure them properly. As more enterprises and home users realized that viruses and worms actually had to connect to the vulnerable service or system to exploit it, they started to leverage perimeter security products.

Firewalls, the first perimeter security product, became commonplace in organizations for all Internet-available networks and are still mandatory for any Internet-accessible network today. For home networks, Microsoft’s XP Service Pack 2 included a rudimentary firewall that helped some home users block attacks as well, albeit not as well as it could have. Implementing a firewall limited the services that could communicate with unauthenticated external devices, thereby significantly reducing the vulnerable entry points that worms used to break into a network.

Figure 1-2 Most vulnerable operating systems in 2008

Many organizations started adding more high-speed Internet connectivity to satellite offices to replace slow and expensive ATM links, and because they didn’t want to pay for or manage a complex firewall at each location, Virtual Private Networks (VPNs) matured to become much easier to manage and began to be deployed widely. Having a VPN connection to the corporate network allowed companies to start denying all connections to and from a corporate office unless the data was going over the secured and authenticated VPN. This network design further reduced the number of vulnerable workstations and servers reachable by viruses and worms via the Internet.

The last technology that accelerated the change from publicity-gathering viruses and worms to data-stealing malware is the intrusion detection system (IDS) and intrusion prevention system (IPS). Many users believe that antivirus technology is the only solution to the virus and worm problem. However, IDS and IPS took the technology within antivirus systems, signature matching, and applied it to the network layer at the perimeter of the network. This change prevented viruses and worms from even making their way to the workstation. Furthermore, these systems provided an additional line of defense behind the firewall, which did not deeply inspect the data it allowed through. For example, if a worm like Code Red attacked IIS via port 80, a firewall would allow it through without inspection, whereas an IPS would actually prevent the worm from traversing port 80 to the server.

With the number of exploitable vulnerabilities publicly available decreasing and more perimeter security devices preventing remote access to machines, viruses fell back to the tried and true methods of propagation—email and the Web.

WHY THEY WANT YOUR WORKSTATION

Technology advances and the availability of attack vectors were factors in attackers changing their methods, but their target, you, ultimately made the decision for them. Authors of malware and rootkits realized that they could generate revenue for themselves by utilizing the malware they were creating to steal sensitive data, such as your online banking username and password, commit click fraud, and sell remote control of infected workstations to spammers as spam relays. They could actually receive a return on investment from the time they put into writing their malware. Your workstation was now worth much more than it was before; therefore, the attacker’s tools needed to adapt to maintain control of the infected workstation as well as infect as many workstations as possible.

The home user is not the only target of malware authors. The corporate workstation is just as juicy and inviting. Enterprise workstation users routinely save confidential corporate documents to their local workstation, log into personal accounts online such as bank accounts, and log into corporate servers that contain corporate intellectual property.


All of these items are of interest to attackers and are routinely gathered during malware infections. A very recent example of an “enterprise” target is the campaigns of U.S. presidential candidates Barack Obama and John McCain. Both candidates’ campaign systems were attacked and infiltrated by remote attackers. We can only guess at the type of information they were looking for, but the data they had access to, if it had been released, could have caused significant damage to either campaign. Even what may seem like useless information is routinely stolen and sold or distributed. Items such as personal photos, secret love affair chats, which may also occur at the workplace, and email are targets as well.

INTENT IS HARD TO DETECT

The change in landscape has increased the technical challenges for malware authors, but the greatest change has been a change in intent. As mentioned before, many virus authors were writing viruses purely for ego gratification and to show off to their friends. Virus writers were part of an underground subculture that rewarded members for new techniques and for mass destruction. The race to be the smartest author caused many virus authors to push the envelope and actually release their creations, causing massive amounts of damage. These acts resemble the plot of many bad movies where two boys constantly try to “one up” each other when fighting over a girl in high school but leave only destruction in their wake. In the end, neither gets the girl, and the two boys end up in trouble and looking stupid. The same is true for virus authors who released viruses. In countries where writing viruses is illegal, the virus writers were caught and prosecuted.

Some virus authors weren’t in it for ego but for protest, as was the case with Onel A. De Guzman. De Guzman was seen as a Robin Hood in the Philippines. He wrote the portion of the ILOVEYOU virus that stole the usernames and passwords people used to access the Internet and gave the information to others to utilize. In the Philippines, where Internet access costs as much as $90 per month, many saw his virus as a great benefit. In addition to de Guzman, Dark Avenger, a Bulgarian virus author, was cited as saying he wrote viruses and released them “because they gave him a sense of political power and freedom he was denied in Bulgaria.” Malware and rootkits are not about ego or protest; they’re about money.

Malware authors want money, and the easiest way to get it is to steal it from you. Their intent with the programs they have written has changed dramatically. Malware and rootkits are now precision-theft tools, not billboards for shouting their accolades and propaganda to friends. Why does this shift matter?

The shift to malicious intent by authors sent a signal to those who protect users from malware that they needed to shift their detection and prevention capabilities. Viruses and worms are technical anomalies. In general, their functionality is not composed of a common set of features that normal computer users may execute, such as a word-processing application; therefore, detecting and preventing an anomaly is easier than detecting a user doing something malicious. The problem with detecting malicious intent is in who defines what is malicious. Is it the antivirus companies or the media? Different computer users have different risk tolerances, so one person may be able to tolerate a piece of malware running in return for the benefit it may provide (we will get to the benefits malware delivers later), whereas someone else may not tolerate any malware.

Understanding the intent of a legitimate user’s action is hard, if not impossible. Governments around the world have been trying to understand the intent of human action within the law enforcement and legal system for years with little success. Conviction rates in most countries following an Anglo-Saxon legal system (such as the United States) range from 40 to 80 percent. If the legal systems around the world, which have been dealing with this problem for hundreds of years, have a hard time determining intent, how do we stand a chance in stopping malware? We believe we do, but the battle is one that we have never seen before in the cyberwarfare community, which is why the remainder of the book focuses on arming you with the technical knowledge about how malware propagates, infects, maintains control, and steals data. Hopefully, armed with this information, you will be able to determine the intent of the applications running on your workstation and take the first step in defending your network against malware.

IT’S A BUSINESS

As mentioned previously, malware authors are focused on making a profit. Like all entrepreneurs who want to make money, they start various businesses to take advantage of the situation. The largest and most active of all the malware groups is the Russian Business Network (RBN). Russia has been on the malware scene for years, with many of the most well-known viruses and Trojans, such as Bagle, MyDoom, and Netsky, originating from Russian developers. It seems that because of the lack of high-paying IT jobs within Russia, and the fact that the majority of the IT jobs are mundane and very task-oriented, the large base of young professionals with high levels of technical talent is turning to crime to get its technology fix.

Before we dive into the business of the RBN, let’s explore the organization. The RBN is nothing more than a highly scalable, redundant, and efficient hosting platform that just happens to host malware. Its hosting customers include child pornography sites, gambling, malware, and phishing sites. The RBN doesn’t care what the hosting platform is used for as long as it receives revenue.

The RBN primarily focuses its efforts into six areas:

• Phishing

• Malware

• Scams

• Distributed denial of service (DDoS)

• Pornography (including child pornography)

• Games

In order to support these efforts, the RBN has created and deployed a hosting platform that consists of one main requirement—bandwidth—and continually deploys malicious webservers, botnets, and command and control servers.


The RBN began to be seen as a distributor of malware in 2005 when it was discovered that the CoolWebSearch malware was being distributed by servers hosted on RBN address space. The RBN continued to increase its distribution and hosting of malware through the use of exploits such as the Microsoft VRML exploit in 2006. The RBN used a variety of exploits and malware during anonymous customer attacks, but its footprint was still relatively small.

Starting in 2007, with the release of the MPack attack toolkit, the RBN started to really take hold of the malware market. Although MPack may not have actually been written by the RBN, the author of MPack is Russian, and many of the initial MPack installations, including Torpig, a known malware payload, have been traced back to the RBN network.

MPack was sold to attackers for $500 to $1000, and an extra $300 included a loader to help jumpstart the malicious activities. MPack was a great step forward for the RBN, as it contained over ten different exploits and attackers could choose which exploit to use based on the connecting target. It was very effective and gave the RBN something they had never really had before: metrics. Since MPack contained multiple exploits, the management console detailed which web browsers were most successfully infected, what country the web browsers originated from, and infection ratios. These metrics allowed attackers to fine-tune their attacks or sell a specific type of infected machine based on their inventory.

Continuing the infection spree, the RBN appears to have been behind the Bank of India incident in which the website for the Bank of India began distributing malware from the RBN’s network. Amazingly, the Bank of India site attempted to install over 20 different types of malware on a client’s computer. RBN was now definitely in the volume game of malware distribution!

Malware distribution is the RBN’s number one activity, but phishing is a close second. The amount of disinformation and incorrect information available about the RBN has made it very difficult to link the network directly to a specific phishing attack; however, significant data shows that the RBN networks have hosted banking Trojans and other services that enabled updates to bypass antivirus, hosted phishing content pages, and acted as a destination for logs from installed Trojans.

The RBN, like any entrepreneurial business, has also launched retail sites that accept credit cards for fake anti-malware software and has entered into partnerships with traditional hackers in order to increase its footprint of web servers that are serving malicious traffic.

With the RBN’s massive organization and infrastructure, it is easy to see that the estimated revenue for all the RBN’s activities is around $120 million per year. With that type of revenue, you can see why the goal of the attackers has moved from owning the server to owning identities.

SIGNIFICANT MALWARE PROPAGATION TECHNIQUES

Malware traditionally employs attacks against platforms and applications such as Microsoft Windows, Linux, Mac OS, the Microsoft Office suite, and many third-party applications. Some malware has even been distributed unknowingly by manufacturers and embedded directly in installation discs, only to be discovered several months later; this was still occurring in 2008. The two most popular forms of propagation in the late 1990s were email and direct file execution. As unimportant as this brief history of viruses may seem to many of you, I am highlighting several malware outbreaks for significant reasons. Most important is the need to understand how techniques have evolved over the past ten years into what is commonly seen today, and where these methods originated. I also want to illustrate how the “old reliable” techniques still work just as well today as they did ten years ago. The security community evolved into what it is today by learning lessons from the propagation techniques it inevitably thwarted, but it now faces a serious challenge in battling and stopping attacks based on these same techniques. Finally, this will serve as a quick overview for those readers who are newer to the community and were not around when these malware samples were released.

Social Engineering

Historically, the oldest and still the most effective method for delivering and propagating malware across a network is to violate human trust relationships. Social engineering involves the crafting of a story that is then delivered to a victim in hopes the victim believes the story and then performs the desired steps in order to execute the malware.

Typically, the user is unaware of the actual infection, although sometimes the delivery method or the story by which the “false trust” is built is fairly shallow. Sometimes the user senses something is wrong, or an event raises his or her suspicions, and after a quick inspection the user discovers the overall plot. The enterprise security team then attempts to remove the malware and prevent propagation through the network. Without social engineering, almost all malware today would not be able to infect systems, and I would not be co-authoring this book. Following are some potentially malicious screens that might build a “false trust” in the hope that I click away and become infected or provide personal information.


Here is a short list of deceptive filenames that malware writers use to entice unsuspecting social engineering victims to open them, thus kicking off the infection process:

• ACDSee 9.exe

• Adobe Photoshop 9 full.exe

• Ahead Nero 7.exe


• Matrix 3 Revolution English Subtitles.exe

• Microsoft Office 2003 Crack, Working!.exe

• Microsoft Windows XP, WinXP Crack, working Keygen.exe

• Porno Screensaver.scr

• Serials.txt.exe

• WinAmp 6 New!.exe

• Windows Sourcecode update.doc.exe

File Execution

File execution is exactly what it sounds like, and it is the most straightforward method of malware infection.

A user clicks a file, which may have been renamed and/or embedded within another file, such as a portable executable, Microsoft Office document, Adobe PDF, or compressed zip archive.

The file can be delivered through the social engineering techniques just discussed or via peer-to-peer (P2P) networking, enterprise network file sharing, email, or transfers from nonvolatile memory devices. Today, some malware is delivered in the form of downloadable Flash games that you enjoy while, in the background, your system becomes the victim of someone’s sly humor, as with StormWorm. Some infections come to you as simple graphic design animations, PowerPoint slides of dancing bears, and even patriotic stories. This propagation technique—file execution—is the foundation for all malware: essentially, if you don’t execute it, the malware is not going to infect your system. Table 1-1 lists some simple examples of Windows-based file types that have been used to deliver malware to victims via file execution, and Figure 1-3 shows the most frequently emailed file types.

File Extension   Associated Application
.FLV             Adobe Flash Player
.DOC             Microsoft Word Document
.PPT             Microsoft PowerPoint
.XLS             Microsoft Excel
.EXE             Executable File
.PDF             Adobe Reader File Format
.BAT             Windows Command Batch File

Table 1-1 Most Popular File Types for Distributing Malware
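The double extensions in the filename list above (Serials.txt.exe, Windows Sourcecode update.doc.exe) and the renamed or embedded files described in this section can both be caught by the same triage check on a mail gateway or file share: compare what a filename claims to be against what its first bytes say it is. The following Python script is an added example, not code from the book or from any of the products it mentions; the function names (split_exts, assess, verdict, scan), the sample filenames and the byte strings are constructed for illustration, and the magic-byte table is deliberately limited to the formats in Table 1-1.

```python
"""Triage check for deceptive filenames and extension/content mismatches.

Added example, not code from the book: it flags the social-engineering
tricks listed in the text (double extensions such as Serials.txt.exe,
screensavers that are really executables, and executables renamed to look
like documents).  Function names and sample data are constructed.
"""
from typing import Dict, List, Optional

# Extensions that Windows runs directly when the user double-clicks.
EXECUTABLE_EXTS = {".exe", ".scr", ".bat", ".cmd", ".com", ".pif", ".vbs", ".js"}
# Extensions a user reads as a harmless document or media file.
DOCUMENT_EXTS = {".doc", ".txt", ".pdf", ".ppt", ".xls", ".flv", ".jpg", ".gif"}
# Office formats from Table 1-1 that share one OLE2 container signature.
OLE_EXTS = {".doc", ".xls", ".ppt"}
# Extensions under which a DOS/PE image is legitimately executed.
PE_EXTS = {".exe", ".scr", ".com", ".pif"}

# Leading bytes that identify the content, mapped to the extension family they imply.
MAGIC = [
    (b"MZ", ".exe"),                 # DOS/PE executable (.exe, .scr, ...)
    (b"%PDF", ".pdf"),               # Adobe PDF
    (b"\xd0\xcf\x11\xe0", ".ole"),   # OLE2 compound document (.doc/.xls/.ppt)
    (b"FLV", ".flv"),                # Flash video
]


def split_exts(name: str) -> List[str]:
    """All extensions in a filename, in order: 'a.doc.exe' -> ['.doc', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


def sniff_extension(data: bytes) -> Optional[str]:
    """Extension family implied by the file's magic bytes, or None if unknown."""
    for magic, ext in MAGIC:
        if data.startswith(magic):
            return ext
    return None


def content_matches(claimed: str, data: bytes) -> bool:
    """True when the claimed extension is consistent with the sniffed content."""
    implied = sniff_extension(data)
    if implied is None:
        return True                 # plain text (.txt, .bat) has no signature to contradict
    if implied == ".ole":
        return claimed in OLE_EXTS
    if implied == ".exe":
        return claimed in PE_EXTS
    return implied == claimed


def assess(name: str, data: bytes) -> List[str]:
    """Findings for one file; an empty list means nothing deceptive was seen."""
    findings = []
    exts = split_exts(name)
    claimed = exts[-1] if exts else ""
    if claimed in EXECUTABLE_EXTS:
        if len(exts) > 1 and exts[-2] in DOCUMENT_EXTS:
            # Explorer hides known extensions by default, so Serials.txt.exe displays as Serials.txt.
            findings.append(f"double extension: shown as {exts[-2]}, runs as {claimed}")
        if claimed == ".scr":
            findings.append("screensaver extension: .scr files are ordinary PE executables")
    if not content_matches(claimed, data):
        findings.append(
            f"content mismatch: extension {claimed or '(none)'} but magic bytes say {sniff_extension(data)}"
        )
    return findings


def verdict(name: str, data: bytes) -> str:
    """'deceptive' (block), 'executable' (policy decision), or 'clean'."""
    if assess(name, data):
        return "deceptive"
    exts = split_exts(name)
    claimed = exts[-1] if exts else ""
    if claimed in EXECUTABLE_EXTS or sniff_extension(data) == ".exe":
        return "executable"
    return "clean"


def scan(files: Dict[str, bytes]) -> Dict[str, str]:
    """Verdict for every (name, leading bytes) pair."""
    return {name: verdict(name, data) for name, data in files.items()}


# Constructed sample attachments: names from the list in the text plus two
# plausible disguises; the byte strings are just enough for the signature check.
SAMPLES = {
    "Serials.txt.exe": b"MZ\x90\x00\x03\x00",
    "Windows Sourcecode update.doc.exe": b"MZ\x90\x00\x03\x00",
    "Porno Screensaver.scr": b"MZ\x90\x00\x03\x00",
    "Ahead Nero 7.exe": b"MZ\x90\x00\x03\x00",
    "quarterly_report.doc": b"MZ\x90\x00\x03\x00",      # PE renamed to look like a Word file
    "invoice.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "budget.xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
}

if __name__ == "__main__":
    for name, result in scan(SAMPLES).items():
        print(f"{result:10s} {name}")
        for finding in assess(name, SAMPLES[name]):
            print(f"           - {finding}")
```

The check deliberately separates two questions: whether the name is designed to mislead (a "deceptive" verdict, which a gateway should block outright) and whether the content is simply executable (an "executable" verdict, which is a policy decision for the organization). A plain .exe with an enticing name, such as Ahead Nero 7.exe, lands in the second bucket, since nothing about it is disguised; the social engineering there lives in the name alone.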
